[26820] in bugtraq

uuuppz.com - Advisory 002 - mIRC $asctime overflow

daemon@ATHENA.MIT.EDU (James Martin)
Tue Aug 27 12:30:32 2002

Message-ID: <003901c24dd1$e21c3c00$d200a8c0@vitalograph.ie>
From: "James Martin" <fulldisclose@uuuppz.com>
To: <vulndiscuss@vulnwatch.org>, <vulnwatch@vulnwatch.org>,
        <vuln-dev@securityfocus.com>, <news@securiteam.com>,
        "Windows NTBugtraq Mailing List" <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>,
        <full-disclosure@lists.netsys.com>, <bugtraq@securityfocus.com>
Date: Tue, 27 Aug 2002 14:58:50 +0100
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

General Info
- ------------
Researched by: James Martin
Full advisory: http://www.uuuppz.com/research/adv-002-mirc.htm
Exploit: Proof of concept code available at above URL.

Product: mIRC
Website: http://www.mirc.com
Version: V6.00, V6.01, V6.02.
Fix: Download mIRC 6.03 from http://www.mirc.com
     Please do not download from unofficial sites, as you may download
     a trojaned version.
Type: Buffer Overrun
Risk: Low to High

Summary
- -------
mIRC provides scripting capabilities to allow extension of the
client. A flaw exists in the $asctime identifier, which is used to
format Unix style time stamps. Passing a string of sufficient length
to $asctime will cause a buffer overflow on the stack. This allows
the execution of byte code through calling $asctime with a carefully
constructed string.

The default script included with mIRC does not call $asctime at any
point. However, the majority of major scripts available for download
call $asctime to decode data provided by the IRC server, and many
scripts call $asctime on data provided from other remote sources. The
exploitability of this flaw therefore depends on the script installed
by the victim.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPWuC4/L9eRNyreu5EQJe3QCgongMQqFL2oZyX1NWicRxdmdXipIAoKb0
YJPJQ+TJoz9kjC2DKkg6m5OJ
=0cKJ
-----END PGP SIGNATURE-----

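The bug class the summary describes, a caller-supplied string copied into a fixed-size stack buffer with no length check, is illustrated below in C. This is an added example, not mIRC's code and not the proof of concept from the advisory URL: `unsafe_parse_timestamp` is a hypothetical model of the unchecked copy, and `safe_parse_timestamp` / `safe_asctime` show the defensive shape (length and character validation before the copy, bounded output formatting). The buffer size, digit limit and timestamp values are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() and gmtime_r() */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define ARG_BUF       32  /* hypothetical fixed-size stack buffer */
#define MAX_TS_DIGITS 10  /* a 32-bit seconds-since-epoch value has at most 10 digits */

/* The bug class described in the advisory, modelled here (not mIRC's code):
 * the caller's argument lands in a fixed stack buffer with no length check,
 * so an argument of ARG_BUF bytes or more writes past the end of buf. */
int unsafe_parse_timestamp(const char *arg, long *out)
{
    char buf[ARG_BUF];
    strcpy(buf, arg);               /* no bound: overflows buf for a long arg */
    *out = atol(buf);
    return 0;
}

/* Hardened form: decide whether the argument is acceptable BEFORE any copy.
 * Returns 0 on success, -1 if the argument is rejected. */
int safe_parse_timestamp(const char *arg, long *out)
{
    char buf[ARG_BUF];
    size_t n = strnlen(arg, ARG_BUF);   /* never scans beyond ARG_BUF bytes */
    size_t i;
    long v;

    if (n == 0 || n > MAX_TS_DIGITS)
        return -1;                      /* empty or over-long: refuse */
    for (i = 0; i < n; i++)
        if (!isdigit((unsigned char)arg[i]))
            return -1;                  /* not a timestamp at all */

    memcpy(buf, arg, n);                /* n <= MAX_TS_DIGITS < ARG_BUF */
    buf[n] = '\0';

    errno = 0;
    v = strtol(buf, NULL, 10);
    if (errno == ERANGE)
        return -1;
    *out = v;
    return 0;
}

/* Format a validated timestamp into a caller-sized buffer, asctime-style
 * (UTC). strftime() is told the real size of out, so it cannot overrun it;
 * returns -1 if the input is rejected or the output buffer is too small. */
int safe_asctime(const char *arg, char *out, size_t outlen)
{
    long ts;
    time_t t;
    struct tm tmv;

    if (safe_parse_timestamp(arg, &ts) != 0)
        return -1;
    t = (time_t)ts;
    if (gmtime_r(&t, &tmv) == NULL)
        return -1;
    if (strftime(out, outlen, "%a %b %d %H:%M:%S %Y", &tmv) == 0)
        return -1;
    return 0;
}

/* Value-returning wrappers so results can be checked without output parameters. */
long parse_or_minus1(const char *arg)
{
    long v;
    return safe_parse_timestamp(arg, &v) == 0 ? v : -1;
}

int asctime_equals(const char *arg, size_t outlen, const char *expected)
{
    char out[64];
    if (outlen > sizeof out)
        outlen = sizeof out;
    if (safe_asctime(arg, out, outlen) != 0)
        return 0;
    return strcmp(out, expected) == 0;
}

int main(void)
{
    /* Constructed inputs: a plausible timestamp and an over-long argument of
     * the kind the advisory warns about. The unsafe function is deliberately
     * never called with the long one. */
    const char *ok  = "1030456730";
    const char *bad = "1111111111111111111111111111111111111111";
    char out[64];

    printf("safe(ok)  = %ld\n", parse_or_minus1(ok));
    printf("safe(bad) = %ld\n", parse_or_minus1(bad));
    if (safe_asctime(ok, out, sizeof out) == 0)
        printf("%s\n", out);
    return 0;
}
```

The point of the hardened version is that the decision to reject happens on the length reported by a bounded scan, before any byte reaches the stack buffer, and that every later write (`memcpy`, `strftime`) is given the true size of its destination. A script-level workaround in the spirit of the advisory is the same idea one layer up: check the length and content of remote-supplied data before passing it to $asctime.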